CVE-2024-45112

13.09.2024, 09:15

Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Type Confusion

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
adobe	CNA	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
adobe	acrobat_dc	𝑥 ≤ 24.003.20054
adobe	acrobat_dc	𝑥 ≤ 24.002.21005
adobe	acrobat	24.001.30159 ≤ 𝑥 ≤ 24.001.30159
adobe	acrobat	20.005.30655 ≤ 𝑥 ≤ 20.005.30655
adobe	acrobat_reader_dc	𝑥 ≤ 24.002.20991
adobe	acrobat	𝑥 < 20.005.30680
adobe	acrobat	24.001.0 ≤ 𝑥 < 24.001.30187
adobe	acrobat_dc	24.003.0 ≤ 𝑥 < 24.003.20112
adobe	acrobat_reader	𝑥 < 20.005.30680
adobe	acrobat_reader_dc	24.003.0 ≤ 𝑥 < 24.003.20112

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References

https://helpx.adobe.com/security/products/acrobat/apsb24-70.html